Information Security vs. Information Assurance
We have to stop improperly referring to information assurance as information security.
Yes, I know that many of us who grew up in the world of ISO 17799 have based our language on the language found there, where the ISO team lumped information confidentiality, information integrity, and information availability together into one group and called it information security. But security is only one facet of protecting information.
Security still applies, but there's more to it.
If you think about securing (locking down) information, then yes, ensuring privacy and soundness are about security. Accessibility isn't as much about locking down as about making available. But the phrase "information security" doesn't bring to the forefront of our minds the additional aspects of assurance: confidence based on measured metrics and accountability reporting. And that is why I'd like all of us to change our language and talk more about information assurance than information security.
The move toward information assurance is found in organizational accountability
We will begin changing our thought patterns and changing our language as we begin to re-think security in terms of measured confidence in our accountability. And we can only do that when we start to add the proper metrics and reporting to our information assurance plans. And that's another thing that ISO 17799 left out -- metrics and reporting of accountability for compliance with its own ruleset.
Information assurance is about defining rules for maintaining information privacy, protecting information soundness, and ensuring information accessibility. It does this by mandating that someone (or several people) be held accountable for ensuring that organizational policies, standards, and procedures are created to match the mandatory regulatory controls, and that they are properly mapped to the information systems within the organization.
It is assurance through accountability that we want to espouse.
That's the mindset we want to build.
